On Fri, Oct 15, 2004 at 05:24:27PM +0200, Alex Broens wrote:
Do we see any FPs in those?
medica.de = large German Medical Exhibition in Duesseldorf. Definitely not a spamhaus.
If I might recommend a strategy for cleaning up FPs in mass submissions?
There's a well-known ratware package that forges the HELO and sender domain from among a huge list of ccTLDs. e.g.:
Received: from cibo.be (DWM-21-63.go.retevision.es [81.60.63.21])
    by serrano.hesketh.net (8.12.11/8.12.8) with SMTP id i55DcmW1015907
    for <snip>; Sat, 5 Jun 2004 09:39:12 -0400
Message-ID: <ed6201c44b8d$4e62a4a2$9181555a@cibo.be>
From: "Ian Monroe" <monroezh@cilme.it>
cibo.be, cilme.it are innocent victims, but it's likely that if you see a bare ccTLD domain in the HELO and a ccTLD in the From: header, and the message has a Message-ID header of the HELO domain, and it was sent via a likely spam zombie, it's spam. (YMMV)
So, I'd quarantine/remove all ccTLD domains from mass submissions until such time as they can be checked manually. It was a large source of FPs here when I started using my domain blacklist (built from many sources, unfortunately including HELOs from this ratware package before I knew what it was).